Following my blog post RFC 6176 - what's in for you [2], I received a couple of emails asking how to connect (for testing) with SSL/TLS to an SMTP, IMAP, POP3 or FTP server, since the brief examples in my previous blog entry were vague.

First of all, when using SSL/TLS with an SMTP, IMAP or POP3 server, you can use either STARTTLS or an SSL-wrapped service. Using STARTTLS with IMAP or POP3 is described in RFC 2595. [1] Using STARTTLS with SMTP is described in RFC 2487. [3] Normally you connect to the regular SMTP, IMAP or POP3 port and request the start of a secure connection with the STARTTLS command (this command varies per protocol); usually the SMTP port is TCP port 25, the IMAP port is TCP port 143 and the POP3 port is TCP port 110. An SSL-wrapped service means that you connect directly with SSL/TLS to a dedicated port listening for SSL/TLS connections; usually the SMTPS port is TCP port 465, the IMAPS port is TCP port 993 and the POP3S port is TCP port 995.

With FTP, you can have explicit FTP over SSL [6] or implicit FTP over SSL. [7] With explicit FTP over SSL you usually connect to FTP TCP port 21 and request the start of a secure connection with the AUTH TLS command. With implicit FTP over SSL, you connect directly with SSL/TLS to a dedicated port listening for SSL/TLS connections; usually this is TCP port 990.

In terms of test clients you have two nice utilities, openssl s_client [4] and gnutls-cli. [5] Both OpenSSL and GnuTLS can be installed on Linux and Windows (or Mac). OpenSSL provides support for SSL 2.0, SSL 3.0 and TLS 1.0, plus it has support for ECC. GnuTLS version 2.10+ provides support for SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. Probably the simplest way to test is with openssl s_client.

- Example, for SMTP (see below the colored text for a real-world example; in green are the commands I've typed), we enter: gnutls-cli -s -p 25 --crlf --insecure smtp.example.net and then at the prompt enter EHLO. The server lists its options; you should spot the STARTTLS one. Next, at the prompt enter STARTTLS. The server should reply 220, so you can start the TLS connection. Then hit Ctrl-d (I believe on Windows it is Ctrl-z, but on the GnuTLS Windows version this does not seem to work properly, at least on my Win7 machine) to start the TLS handshake.

- Example, for POP3, we enter: gnutls-cli -s -p 110 --crlf --insecure pop3.example.net and then at the prompt enter STLS. The server should reply +OK, so you can start the TLS connection. Next hit Ctrl-d (I believe on Windows it is Ctrl-z, but on the GnuTLS Windows version this does not seem to work properly, at least on my Win7 machine) to start the TLS handshake.

---

- Example, for IMAP, we enter: gnutls-cli -s -p 143 --crlf --insecure imap.example.net and then at the prompt enter . STARTTLS (the leading dot is the IMAP command tag). The server should reply . OK, so you can start the TLS connection. Next hit Ctrl-d (I believe on Windows it is Ctrl-z, but on the GnuTLS Windows version this does not seem to work properly, at least on my Win7 machine) to start the TLS handshake.

---

- Example, for explicit FTP over SSL, we enter: gnutls-cli -s -p 21 --crlf --insecure ftp.example.net and then at the prompt enter AUTH TLS. The server should reply 234, so you can start the TLS connection. Next hit Ctrl-d (I believe on Windows it is Ctrl-z, but on the GnuTLS Windows version this does not seem to work properly, at least on my Win7 machine) to start the TLS handshake.

---

For a wrapped service or implicit FTP over SSL we connect with gnutls-cli just like to an HTTPS server: gnutls-cli -p 'portnumber' --insecure --crlf 'servername'

Example, for SMTPS: gnutls-cli -p 465 --insecure --crlf smtp.gmail.com

---

You can play as usual with the required protocol versions or cipher suites. Once the connection has been established, you can test your server just as you would with a telnet client.
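To show what gnutls-cli -s and the Ctrl-d step do under the hood, here is an added example (not from the original post or from GnuTLS) that performs the same clear-text STARTTLS dialogue for SMTP, POP3, IMAP and explicit FTP and then upgrades the socket to TLS. Unlike the --insecure runs above it verifies the server certificate; the EHLO name tester.example is an assumed placeholder.

```python
import io
import socket
import ssl

# Clear-text dialogue preceding the handshake for each protocol on this page:
# (command to send, test on the reply line meaning "start TLS now"). CRLF line ends.
STARTTLS_DIALOGUE = {
    "smtp": ("STARTTLS", lambda line: line.startswith("220")),
    "pop3": ("STLS", lambda line: line.startswith("+OK")),
    "imap": (". STARTTLS", lambda line: line.startswith(". OK")),
    "ftp": ("AUTH TLS", lambda line: line.startswith("234")),
}

def ready_for_tls(protocol, reply):
    """True if one server reply line (CRLF stripped) permits the TLS handshake."""
    return STARTTLS_DIALOGUE[protocol][1](reply)

def _read_line(reader):
    return reader.readline().decode("ascii", "replace").rstrip("\r\n")

def _read_smtp_reply(reader):
    """Collect a full SMTP reply: continuation lines are '250-...', the last is '250 '."""
    lines = [_read_line(reader)]
    while len(lines[-1]) >= 4 and lines[-1][3] == "-":
        lines.append(_read_line(reader))
    return lines

def parse_smtp_reply(raw):
    """Split raw SMTP reply bytes (e.g. a captured EHLO answer) into its lines."""
    return _read_smtp_reply(io.BytesIO(raw))

def starttls_connect(host, port, protocol, ehlo_name="tester.example", timeout=10):
    """Connect in clear text, negotiate STARTTLS and return the TLS-wrapped socket.
    The certificate is checked against the system trust store and the host name."""
    command, _ = STARTTLS_DIALOGUE[protocol]
    sock = socket.create_connection((host, port), timeout=timeout)
    reader = sock.makefile("rb")  # safe: nothing follows the go-ahead until our ClientHello
    if protocol == "smtp":
        _read_smtp_reply(reader)  # 220 greeting
        sock.sendall(f"EHLO {ehlo_name}\r\n".encode())  # ehlo_name: assumed placeholder
        if not any("STARTTLS" in line.upper() for line in _read_smtp_reply(reader)):
            raise RuntimeError("server does not advertise STARTTLS")
    else:
        _read_line(reader)  # +OK / * OK / 220 greeting
    sock.sendall((command + "\r\n").encode())
    reply = _read_line(reader)
    if not ready_for_tls(protocol, reply):
        raise RuntimeError(f"server refused STARTTLS: {reply!r}")
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
```

After starttls_connect returns, the wrapped socket can be used like the gnutls-cli prompt after the handshake, e.g. sending a second EHLO or a LOGIN.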

-------

References

[1] Using TLS with IMAP, POP3 and ACAP http://www.ietf.org/rfc/rfc2595.txt

[2] RFC 6176 - what’s in for you http://www.carbonwind.net/blog/post/RFC-6176-what’s-in-for-you.aspx

[3] SMTP Service Extension for Secure SMTP over TLS http://www.ietf.org/rfc/rfc2487.txt